File mp3gain-1.6.1-fix-CVE-2017-12911.patch of Package mp3gain

commit 4963fd9aedac00bcf051617e4d88f73ad5d68942
Author: Glen Sawyer <glensawyer@hotmail.com>
Date:   Mon Feb 5 15:29:38 2018 -0700

    Attempt to fix CVE-2017-12911.
    I do not have a crashing sample, so I cannot yet verify this fix

diff --git a/mp3gain/apetag.c b/mp3gain/apetag.c
index 1003059..f2d4f54 100644
--- a/mp3gain/apetag.c
+++ b/mp3gain/apetag.c
@@ -49,6 +49,12 @@ static int Lyrics3GetNumber5 ( const unsigned char* string )
 
 static int Lyrics3GetNumber6 ( const unsigned char* string )
 {
+	if (string[0] < '0' || string[0] > '9') return 0;
+	if (string[1] < '0' || string[1] > '9') return 0;
+	if (string[2] < '0' || string[2] > '9') return 0;
+	if (string[3] < '0' || string[3] > '9') return 0;
+	if (string[4] < '0' || string[4] > '9') return 0;
+	if (string[5] < '0' || string[5] > '9') return 0;
 	return ( string[0] - '0') * 100000 +
 		   ( string[1] - '0') * 10000 +
 		   ( string[2] - '0') * 1000 +
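Review bot: Lyrics3GetNumber6 now returns 0 both for the field "000000" and for any field containing a non-digit, so its caller cannot tell a malformed length from an empty one; a comment above the function, `/* Returns 0 if any of the six bytes is not an ASCII digit. */`, would make that contract explicit. The six copies of the range test could be one loop, `for (i = 0; i < 6; i++) if (string[i] < '0' || string[i] > '9') return 0;`, which keeps the check and the field width in one place. Lyrics3GetNumber5, named in the hunk header, is outside this hunk; if it does the same arithmetic on bytes read from the file, it presumably needs the same validation. The function body continues past the end of the hunk.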
@@ -86,12 +92,14 @@ static int ReadMP3Lyrics3v2Tag ( FILE *fp, unsigned char **tagbuff, unsigned lon
 		free(*id3tagbuff);
 	*id3tagbuff = (unsigned char *)malloc(128);
     memcpy(*id3tagbuff,tmpid3,128);
+	if ( *tag_offset < (128 + (long)(sizeof(T))) ) return 0;
     if ( fseek (fp, *tag_offset - 128 - sizeof (T), SEEK_SET) ) return 0;
     if ( fread (&T, 1, sizeof (T), fp) != sizeof (T) ) return 0;
     // check for lyrics3 v2.00 tag
     if ( memcmp (T.ID, "LYRICS200", sizeof (T.ID)) ) return 0;
 	len = Lyrics3GetNumber6 (T.Length);
-	if ( fseek (fp, *tag_offset - 128 - (int)sizeof (T) - len, SEEK_SET) ) return 0;
+	if (*tag_offset < (128 + (long)(sizeof(T)) + len)) return 0;
+	if ( fseek (fp, *tag_offset - 128 - (long)sizeof (T) - len, SEEK_SET) ) return 0;
     if ( fread  (tmp, 1, 11, fp) != 11 ) return 0;
     if ( memcmp (tmp, "LYRICSBEGIN", 11) ) return 0;
     
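Review bot: The result of `malloc(128)` is passed straight to `memcpy` without a NULL check, so an allocation failure becomes a write through a NULL pointer before the new offset guards run; `if (*id3tagbuff == NULL) return 0;` after the allocation would close that, and the `malloc (TagLen)` in the first ReadMP3APETag hunk has the same gap before its `fread`. The first `fseek` still subtracts the unsigned `sizeof (T)` while the second was changed to `(long)sizeof (T)`; the new guard keeps the result non-negative, but casting both the same way would keep the arithmetic uniformly signed. A length of 0 from Lyrics3GetNumber6 (its value for a malformed field) passes the second guard and is rejected only by the later `LYRICSBEGIN` comparison. ReadMP3Lyrics3v2Tag starts before and continues after this hunk.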
@@ -167,6 +175,7 @@ int ReadMP3APETag ( FILE *fp,  struct MP3GainTagInfo *info, struct APETagStruct
     Ver = Read_LE_Uint32 (T.Version);
     if ( (Ver != 1000) && (Ver != 2000) ) return 0;
     if ( (TagLen = Read_LE_Uint32 (T.Length)) < sizeof (T) ) return 0;
+	if (*tag_offset < TagLen) return 0;
     if ( fseek (fp, *tag_offset - TagLen, SEEK_SET) ) return 0;
     buff = (char *)malloc (TagLen);
     if ( fread (buff, 1, TagLen - sizeof (T), fp) != (TagLen - sizeof (T)) ) {
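Review bot: The new guard `*tag_offset < TagLen` appears to compare a signed `long` with a value taken from `Read_LE_Uint32` (the next hunk casts `sizeof(T)` to `long` for the same left-hand operand). If TagLen is an unsigned type at least as wide as `long`, a negative `*tag_offset` is converted to a large unsigned value and passes the check. Neither declaration is visible in this hunk, so the types need confirming, but `if (*tag_offset < 0 || (unsigned long)*tag_offset < TagLen) return 0;` rejects a negative offset for an unsigned TagLen of any width. The function starts before and continues after this hunk.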
@@ -285,6 +294,7 @@ int ReadMP3APETag ( FILE *fp,  struct MP3GainTagInfo *info, struct APETagStruct
 	(*apeTag)->originalTagSize = TagLen;
 
     if ( Read_LE_Uint32 (T.Flags) & (1<<31) ) {  // Tag contains header
+		if (*tag_offset < (long)(sizeof(T))) return 0;
         *tag_offset -= sizeof (T);
 
 		fseek (fp, *tag_offset, SEEK_SET);
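Review bot: The `fseek (fp, *tag_offset, SEEK_SET)` two lines after the new guard is the only seek in this patch whose result is ignored; if it fails, whatever read follows runs from the previous file position. `if ( fseek (fp, *tag_offset, SEEK_SET) ) return 0;` would match the other call sites. The new `return 0` also sits after `(*apeTag)` has been written to, and whether `buff` and `*apeTag` are released on that path cannot be seen from this hunk, so the early exit is worth checking against the function's cleanup. The block continues past the end of the hunk.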
@@ -355,14 +365,14 @@ int truncate_file (char *filename, long truncLength) {
  */
 int ReadMP3GainAPETag (char *filename, struct MP3GainTagInfo *info, struct FileTagsStruct *fileTags) {
     FILE *fi;
-    long tag_offset, offs_bk;
+    long tag_offset, offs_bk, file_size;
 
     fi = fopen(filename, "rb");
     if (fi == NULL)
 		return 0;
 	
 	fseek(fi, 0, SEEK_END);
-    tag_offset = ftell(fi);
+    tag_offset = file_size = ftell(fi);
 	
 	fileTags->lyrics3TagSize = 0;
 
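Review bot: Neither `fseek(fi, 0, SEEK_END)` nor `ftell(fi)` is checked, so on failure `file_size` and `tag_offset` both start out as -1. The range test added in the last hunk then fails on `tag_offset >= 0`, and its fallback stores the same negative `file_size` in `fileTags->tagOffset`. Rejecting the value at the source keeps that later bound meaningful: `if (file_size < 0) { fclose(fi); return 0; }` right after the `ftell` line. The function continues outside this hunk.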
@@ -373,7 +383,11 @@ int ReadMP3GainAPETag (char *filename, struct MP3GainTagInfo *info, struct FileT
 		ReadMP3ID3v1Tag ( fi, &(fileTags->id31tag), &tag_offset );
 	} while ( offs_bk != tag_offset );
 
-	fileTags->tagOffset = tag_offset;
+	if (tag_offset >= 0 && tag_offset <= file_size) {
+		fileTags->tagOffset = tag_offset;
+	} else { //Corrupt tag information, simply default to end-of-file
+		fileTags->tagOffset = file_size;
+	}
 
     fclose(fi);